Limit Download and Upload on WAN for every VLAN

I confirm that the configuration below works for PPPoE interface with version VyOS 1.3-rolling-202009220118 but it doesn’t for ethernet interface.

set traffic-policy shaper UPLOAD bandwidth '500mbit'
set traffic-policy shaper UPLOAD class 10 bandwidth '50mbit'
set traffic-policy shaper UPLOAD class 10 ceiling '61mbit'
set traffic-policy shaper UPLOAD class 10 match VLAN10 interface eth4.10
set traffic-policy shaper UPLOAD default bandwidth '400mbit'
set traffic-policy shaper UPLOAD default ceiling '100%'

set interfaces pppoe pppoe0 traffic-policy out 'UPLOAD'

@fegauthier Thank you. It’d be very useful if you could please show the rest of the configuration.

You can hide private data by using

show configuration commands | strip-private

This is my whole configuration

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name IPTV_IN default-action 'drop'
set firewall name IPTV_IN description 'IPTV To Lan'
set firewall name IPTV_IN rule 5 action 'accept'
set firewall name IPTV_IN rule 5 description 'Accept established'
set firewall name IPTV_IN rule 5 log 'disable'
set firewall name IPTV_IN rule 5 protocol 'all'
set firewall name IPTV_IN rule 5 state established 'enable'
set firewall name IPTV_IN rule 5 state related 'enable'
set firewall name IPTV_IN rule 10 action 'accept'
set firewall name IPTV_IN rule 10 description 'Allow IGMP'
set firewall name IPTV_IN rule 10 log 'disable'
set firewall name IPTV_IN rule 10 protocol 'igmp'
set firewall name IPTV_IN rule 20 action 'accept'
set firewall name IPTV_IN rule 20 description 'Allow IPTV-Bell'
set firewall name IPTV_IN rule 20 log 'disable'
set firewall name IPTV_IN rule 20 protocol 'udp'
set firewall name IPTV_IN rule 30 action 'drop'
set firewall name IPTV_IN rule 30 description 'Drop invalid'
set firewall name IPTV_IN rule 30 log 'disable'
set firewall name IPTV_IN rule 30 protocol 'all'
set firewall name IPTV_IN rule 30 state invalid 'enable'
set firewall name IPTV_LOCAL default-action 'drop'
set firewall name IPTV_LOCAL rule 5 action 'accept'
set firewall name IPTV_LOCAL rule 5 description 'Accept established'
set firewall name IPTV_LOCAL rule 5 log 'disable'
set firewall name IPTV_LOCAL rule 5 protocol 'all'
set firewall name IPTV_LOCAL rule 5 source
set firewall name IPTV_LOCAL rule 5 state established 'enable'
set firewall name IPTV_LOCAL rule 5 state related 'enable'
set firewall name IPTV_LOCAL rule 10 action 'accept'
set firewall name IPTV_LOCAL rule 10 description 'Allow IPTV-UDP'
set firewall name IPTV_LOCAL rule 10 log 'disable'
set firewall name IPTV_LOCAL rule 10 protocol 'udp'
set firewall name IPTV_LOCAL rule 20 action 'accept'
set firewall name IPTV_LOCAL rule 20 description 'Allow IGMP'
set firewall name IPTV_LOCAL rule 20 log 'disable'
set firewall name IPTV_LOCAL rule 20 protocol 'igmp'
set firewall name IPTV_LOCAL rule 30 action 'accept'
set firewall name IPTV_LOCAL rule 30 description 'Allow ICMP'
set firewall name IPTV_LOCAL rule 30 log 'disable'
set firewall name IPTV_LOCAL rule 30 protocol 'icmp'
set firewall name IPTV_LOCAL rule 60 action 'drop'
set firewall name IPTV_LOCAL rule 60 description 'Drop invalid'
set firewall name IPTV_LOCAL rule 60 log 'disable'
set firewall name IPTV_LOCAL rule 60 protocol 'all'
set firewall name IPTV_LOCAL rule 60 state invalid 'enable'
set firewall name WAN_IN default-action 'drop'
set firewall name WAN_IN rule 10 action 'accept'
set firewall name WAN_IN rule 10 state established 'enable'
set firewall name WAN_IN rule 10 state related 'enable'
set firewall name WAN_IN rule 11 action 'accept'
set firewall name WAN_IN rule 11 description 'Allow HTTPS'
set firewall name WAN_IN rule 11 destination address '172.16.12.5'
set firewall name WAN_IN rule 11 destination port '443'
set firewall name WAN_IN rule 11 log 'disable'
set firewall name WAN_IN rule 11 protocol 'tcp'
set firewall name WAN_IN rule 11 state new 'enable'
set firewall name WAN_LOCAL default-action 'drop'
set firewall name WAN_LOCAL rule 10 action 'accept'
set firewall name WAN_LOCAL rule 10 state established 'enable'
set firewall name WAN_LOCAL rule 10 state related 'enable'
set firewall name WAN_LOCAL rule 20 action 'accept'
set firewall name WAN_LOCAL rule 20 icmp type-name 'echo-request'
set firewall name WAN_LOCAL rule 20 protocol 'icmp'
set firewall name WAN_LOCAL rule 20 state new 'enable'
set firewall name WAN_LOCAL rule 30 action 'drop'
set firewall name WAN_LOCAL rule 30 destination port '22'
set firewall name WAN_LOCAL rule 30 protocol 'tcp'
set firewall name WAN_LOCAL rule 30 recent count '4'
set firewall name WAN_LOCAL rule 30 recent time '60'
set firewall name WAN_LOCAL rule 30 state new 'enable'
set firewall name WAN_LOCAL rule 31 action 'accept'
set firewall name WAN_LOCAL rule 31 destination port '22'
set firewall name WAN_LOCAL rule 31 protocol 'tcp'
set firewall name WAN_LOCAL rule 31 state new 'enable'
set firewall name WAN_LOCAL rule 32 action 'accept'
set firewall name WAN_LOCAL rule 32 destination port '443'
set firewall name WAN_LOCAL rule 32 protocol 'tcp'
set firewall name WAN_LOCAL rule 32 state new 'enable'
set firewall name WAN_LOCAL rule 33 action 'accept'
set firewall name WAN_LOCAL rule 33 destination port '1195'
set firewall name WAN_LOCAL rule 33 protocol 'udp'
set firewall name WAN_LOCAL rule 33 state new 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces bridge br0 address '172.16.10.1/24'
set interfaces bridge br0 description 'BRIDGE_LAN'
set interfaces bridge br0 member interface eth0
set interfaces bridge br0 member interface eth2
set interfaces ethernet eth0 hw-id 'f4:e9:d4:84:52:50'
set interfaces ethernet eth1 hw-id 'f4:e9:d4:84:52:52'
set interfaces ethernet eth1 mtu '1508'
set interfaces ethernet eth1 vif 35 description 'BELL_INTERNET_VLAN'
set interfaces ethernet eth1 vif 35 mtu '1508'
set interfaces ethernet eth1 vif 36 address 'dhcp'
set interfaces ethernet eth1 vif 36 description 'BELL_IPTV'
set interfaces ethernet eth1 vif 36 firewall in name 'IPTV_IN'
set interfaces ethernet eth1 vif 36 firewall local name 'IPTV_LOCAL'
set interfaces ethernet eth2 hw-id 'b4:2e:99:84:b6:21'
set interfaces ethernet eth3 address '192.168.5.1/24'
set interfaces ethernet eth3 description 'IPTV_LAN'
set interfaces ethernet eth3 hw-id '68:1c:a2:13:48:c5'
set interfaces ethernet eth4 address '172.16.11.1/24'
set interfaces ethernet eth4 description 'WLAN'
set interfaces ethernet eth4 hw-id '68:1c:a2:13:48:c6'
set interfaces ethernet eth4 vif 10 address '192.168.10.1/24'
set interfaces ethernet eth4 vif 10 description 'VLAN10'
set interfaces ethernet eth5 address '172.16.12.1/24'
set interfaces ethernet eth5 description 'SERVER'
set interfaces ethernet eth5 hw-id '68:1c:a2:13:48:c7'
set interfaces ethernet eth6 hw-id '68:1c:a2:13:48:c8'
set interfaces input ifb3 traffic-policy out 'DOWNLOAD'
set interfaces loopback lo
set interfaces pppoe pppoe0 authentication password '****'
set interfaces pppoe pppoe0 authentication user '****'
set interfaces pppoe pppoe0 default-route 'force'
set interfaces pppoe pppoe0 firewall in name 'WAN_IN'
set interfaces pppoe pppoe0 firewall local name 'WAN_LOCAL'
set interfaces pppoe pppoe0 mtu '1500'
set interfaces pppoe pppoe0 redirect 'ifb3'
set interfaces pppoe pppoe0 source-interface 'eth1.35'
set interfaces pppoe pppoe0 traffic-policy out 'UPLOAD'
set interfaces wireguard wg0 address '10.66.58.44/32'
set interfaces wireguard wg0 description 'Mullvad'
set interfaces wireguard wg0 peer wg-peer address '89.36.78.162'
set interfaces wireguard wg0 peer wg-peer allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer wg-peer port '51820'
set interfaces wireguard wg0 peer wg-peer pubkey '****'
set interfaces wireguard wg0 port '1195'
set interfaces wireguard wg0 private-key 'default'
set interfaces wireguard wg1 address '10.69.115.243/32'
set interfaces wireguard wg1 description 'Mullvad2'
set interfaces wireguard wg1 disable
set interfaces wireguard wg1 peer wg-peer2 address '89.36.78.178'
set interfaces wireguard wg1 peer wg-peer2 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer wg-peer2 port '51819'
set interfaces wireguard wg1 peer wg-peer2 pubkey '****'
set interfaces wireguard wg1 private-key 'wg1'
set nat destination rule 10 description 'Port Forward HTTPS'
set nat destination rule 10 destination port '443'
set nat destination rule 10 inbound-interface 'pppoe0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '172.16.12.5'
set nat source rule 99 outbound-interface 'wg0'
set nat source rule 99 source address '192.168.10.0/24'
set nat source rule 99 translation address 'masquerade'
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 translation address 'masquerade'
set nat source rule 101 description 'Bell IPTV'
set nat source rule 101 destination address '10.0.0.0/8'
set nat source rule 101 outbound-interface 'eth1.36'
set nat source rule 101 protocol 'all'
set nat source rule 101 translation address 'masquerade'
set policy route VPN rule 10 set table '10'
set policy route VPN rule 10 source address '192.168.10.0/24'
set protocols igmp-proxy interface eth1.36 alt-subnet '224.0.0.0/8'
set protocols igmp-proxy interface eth1.36 alt-subnet '10.0.0.0/8'
set protocols igmp-proxy interface eth1.36 role 'upstream'
set protocols igmp-proxy interface eth1.36 threshold '1'
set protocols igmp-proxy interface eth3 alt-subnet '192.168.5.0/24'
set protocols igmp-proxy interface eth3 role 'downstream'
set protocols igmp-proxy interface eth3 threshold '1'
set protocols static interface-route 10.255.1.0/24 next-hop-interface vtun1
set protocols static route 10.0.0.0/8 next-hop 10.247.48.1 distance '1'
set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface wg0
set service dhcp-server global-parameters 'option option-138 code 138 = ip-address;'
set service dhcp-server shared-network-name IPTV_LAN subnet 192.168.5.0/24 default-router '192.168.5.1'
set service dhcp-server shared-network-name IPTV_LAN subnet 192.168.5.0/24 dns-server '207.164.234.129'
set service dhcp-server shared-network-name IPTV_LAN subnet 192.168.5.0/24 dns-server '207.164.234.193'
set service dhcp-server shared-network-name IPTV_LAN subnet 192.168.5.0/24 lease '86400'
set service dhcp-server shared-network-name IPTV_LAN subnet 192.168.5.0/24 range 0 start '192.168.5.10'
set service dhcp-server shared-network-name IPTV_LAN subnet 192.168.5.0/24 range 0 stop '192.168.5.254'
set service dhcp-server shared-network-name LAN subnet 172.16.10.0/24 default-router '172.16.10.1'
set service dhcp-server shared-network-name LAN subnet 172.16.10.0/24 dns-server '1.1.1.1'
set service dhcp-server shared-network-name LAN subnet 172.16.10.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name LAN subnet 172.16.10.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 172.16.10.0/24 range 0 start '172.16.10.10'
set service dhcp-server shared-network-name LAN subnet 172.16.10.0/24 range 0 stop '172.16.10.254'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 default-router '172.16.12.1'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 dns-server '1.1.1.1'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 lease '86400'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 range 0 start '172.16.12.10'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 range 0 stop '172.16.12.254'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 static-mapping GloboMine ip-address '172.16.12.4'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 static-mapping GloboMine mac-address '32:08:c6:1b:fe:4e'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 static-mapping LaPetiteReplique ip-address '172.16.12.3'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 static-mapping LaPetiteReplique mac-address '36:38:9e:c2:6c:34'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 static-mapping Proxmox ip-address '172.16.12.10'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 static-mapping Proxmox mac-address 'e2:f7:fa:62:2c:6c'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 static-mapping ReverseProxy ip-address '172.16.12.5'
set service dhcp-server shared-network-name SERVER subnet 172.16.12.0/24 static-mapping ReverseProxy mac-address '66:16:fc:66:06:c7'
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 default-router '192.168.10.1'
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 dns-server '1.1.1.1'
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 lease '86400'
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 range 0 start '192.168.10.10'
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 range 0 stop '192.168.10.254'
set service dhcp-server shared-network-name WLAN subnet 172.16.11.0/24 default-router '172.16.11.1'
set service dhcp-server shared-network-name WLAN subnet 172.16.11.0/24 dns-server '1.1.1.1'
set service dhcp-server shared-network-name WLAN subnet 172.16.11.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name WLAN subnet 172.16.11.0/24 lease '86400'
set service dhcp-server shared-network-name WLAN subnet 172.16.11.0/24 range 0 start '172.16.11.10'
set service dhcp-server shared-network-name WLAN subnet 172.16.11.0/24 range 0 stop '172.16.11.254'
set service dhcp-server shared-network-name WLAN subnet 172.16.11.0/24 subnet-parameters 'option option-138 ****;'
set service dns dynamic interface pppoe0 service cloudflare host-name '****'
set service dns dynamic interface pppoe0 service cloudflare login '****'
set service dns dynamic interface pppoe0 service cloudflare password '****'
set service dns dynamic interface pppoe0 service cloudflare protocol 'cloudflare'
set service dns dynamic interface pppoe0 service cloudflare zone 'globomine.ca'
set service dns dynamic interface pppoe0 use-web skip 'Current IP Address: '
set service dns dynamic interface pppoe0 use-web url 'http://checkip.dyndns.com/'
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$Kogw7..UJ87oh$slOo4Uln8isHHn/McmRerZN5Upq7xQbzopqw5TvTTlyMnmM3Cw6QwWFcwJiUDk0x3tVdt/UTc9dprNmp91BYU/'
set system login user vyos authentication plaintext-password ''
set system name-server '1.1.1.1'
set system name-server '8.8.8.8'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set traffic-policy shaper DOWNLOAD bandwidth '600mbit'
set traffic-policy shaper DOWNLOAD class 10 bandwidth '20mbit'
set traffic-policy shaper DOWNLOAD class 10 ceiling '60mbit'
set traffic-policy shaper DOWNLOAD class 10 match VLAN10 ip destination address '192.168.10.0/24'
set traffic-policy shaper DOWNLOAD default bandwidth '1mbit'
set traffic-policy shaper DOWNLOAD default ceiling '100%'
set traffic-policy shaper UPLOAD bandwidth '500mbit'
set traffic-policy shaper UPLOAD class 10 bandwidth '50mbit'
set traffic-policy shaper UPLOAD class 10 ceiling '61mbit'
set traffic-policy shaper UPLOAD class 10 match VLAN10 interface 'eth4.10'
set traffic-policy shaper UPLOAD default bandwidth '400mbit'
set traffic-policy shaper UPLOAD default ceiling '100%'

This is the speedtest related to the above config

120332100_806654466749099_304864820624390614_n996×2048 131 KB

After that I commited these two lines

set traffic-policy shaper UPLOAD class 10 bandwidth '90mbit'
set traffic-policy shaper UPLOAD class 10 ceiling '100mbit'

This is my new speedtest

120302396_334032061195883_312810641218127075_n996×2048 149 KB

It doesn’t work with ethernet interface. I tried the samething with my Ethernet WAN and the traffic is not shaping. If I use ip source ‘192.168.10.0/24’, it doesn’t work.

It’s not working for download because redirect doesn’t work with PPPoE…

Do you know what happen? Does the traffic shaping is supposed to work?

Interesting. Before answering your questions, let me please find out what is happening.

How is traffic from that client getting into interface eth4.10?
Is that traffic tagged or untagged?

The wireless access point SSID tag the VLAN

Regarding your question here:

When looking at the numbers, it looks like you are not being matched by class 12, but by default. I guess the first thing I would do is to check the IP address of that client is within 192.168.1.0/24.

Would you please show me the outcome of

tcpdump -eni eth4 -c30

Executing it while you are doing that speed test from your Wi-Fi client.

Thanks for sharing by Kalyan

This is the result during the Upload speedtest from my wifi client

11:35:06.149138 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53198: Flags [.], ack 3188627363, win 4887, options [nop,nop,TS val 2118932517 ecr 6914963], length 0
11:35:06.149165 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53192: Flags [.], ack 2542647289, win 4752, options [nop,nop,TS val 2118932517 ecr 6914963], length 0
11:35:06.149192 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53196: Flags [.], ack 1437050607, win 7059, options [nop,nop,TS val 2118932517 ecr 6914963], length 0
11:35:06.149677 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53196 > 184.150.167.222.8080: Flags [.], seq 34753:36201, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932510], length 1448: HTTP
11:35:06.149711 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53196 > 184.150.167.222.8080: Flags [.], seq 36201:37649, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932510], length 1448: HTTP
11:35:06.149730 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53198 > 184.150.167.222.8080: Flags [.], seq 39097:40545, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932510], length 1448: HTTP
11:35:06.149748 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53198 > 184.150.167.222.8080: Flags [.], seq 40545:41993, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932510], length 1448: HTTP
11:35:06.149766 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53200 > 184.150.167.222.8080: Flags [.], seq 2973306264:2973307712, ack 3411217281, win 343, options [nop,nop,TS val 6914964 ecr 2118932510], length 1448: HTTP
11:35:06.149794 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53200 > 184.150.167.222.8080: Flags [.], seq 1448:2896, ack 1, win 343, options [nop,nop,TS val 6914964 ecr 2118932510], length 1448: HTTP
11:35:06.149817 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53192 > 184.150.167.222.8080: Flags [.], seq 44889:46337, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932510], length 1448: HTTP
11:35:06.149835 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53192 > 184.150.167.222.8080: Flags [.], seq 46337:47785, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932510], length 1448: HTTP
11:35:06.149853 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53196 > 184.150.167.222.8080: Flags [.], seq 37649:39097, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932511], length 1448: HTTP
11:35:06.149871 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53196 > 184.150.167.222.8080: Flags [.], seq 39097:40545, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932512], length 1448: HTTP
11:35:06.149931 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53200: Flags [.], ack 4294918064, win 2953, options [nop,nop,TS val 2118932517 ecr 6914962], length 0
11:35:06.149950 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53198: Flags [.], ack 2897, win 4887, options [nop,nop,TS val 2118932517 ecr 6914963], length 0
11:35:06.149968 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53192: Flags [.], ack 2897, win 4752, options [nop,nop,TS val 2118932517 ecr 6914963], length 0
11:35:06.150790 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53196: Flags [.], ack 2897, win 7059, options [nop,nop,TS val 2118932518 ecr 6914963], length 0
11:35:06.150815 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53200: Flags [.], ack 4294920960, win 2953, options [nop,nop,TS val 2118932518 ecr 6914962], length 0
11:35:06.150839 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53198: Flags [.], ack 5793, win 4887, options [nop,nop,TS val 2118932518 ecr 6914963], length 0
11:35:06.150863 68:1c:a2:13:48:c6 > e8:e8:b7:8d:a8:26, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 184.150.167.222.8080 > 192.168.10.10.53192: Flags [.], ack 5793, win 4752, options [nop,nop,TS val 2118932518 ecr 6914963], length 0
11:35:06.150990 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53200 > 184.150.167.222.8080: Flags [.], seq 2896:4344, ack 1, win 343, options [nop,nop,TS val 6914964 ecr 2118932513], length 1448: HTTP
11:35:06.151019 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53192 > 184.150.167.222.8080: Flags [.], seq 47785:49233, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932512], length 1448: HTTP
11:35:06.151039 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53200 > 184.150.167.222.8080: Flags [.], seq 4344:5792, ack 1, win 343, options [nop,nop,TS val 6914964 ecr 2118932513], length 1448: HTTP
11:35:06.151057 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53198 > 184.150.167.222.8080: Flags [.], seq 41993:43441, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932512], length 1448: HTTP
11:35:06.151075 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53192 > 184.150.167.222.8080: Flags [.], seq 49233:50681, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932512], length 1448: HTTP
11:35:06.151093 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53198 > 184.150.167.222.8080: Flags [.], seq 43441:44889, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932512], length 1448: HTTP
11:35:06.151121 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53200 > 184.150.167.222.8080: Flags [.], seq 5792:7240, ack 1, win 343, options [nop,nop,TS val 6914964 ecr 2118932513], length 1448: HTTP
11:35:06.151144 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53196 > 184.150.167.222.8080: Flags [.], seq 40545:41993, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932512], length 1448: HTTP
11:35:06.151162 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53196 > 184.150.167.222.8080: Flags [.], seq 41993:43441, ack 0, win 343, options [nop,nop,TS val 6914964 ecr 2118932512], length 1448: HTTP
11:35:06.151179 e8:e8:b7:8d:a8:26 > 68:1c:a2:13:48:c6, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 192.168.10.10.53200 > 184.150.167.222.8080: Flags [.], seq 7240:8688, ack 1, win 343, options [nop,nop,TS val 6914964 ecr 2118932513], length 1448: HTTP

Thank you.

There seems to be a bug. VLAN traffic can be used as matching criteria when the policy is applied to a client PPPoE interface. It fails when applying the policy to an Ethernet interface. I reported the bug.

https://phabricator.vyos.net/T2942

Yes. I’m afraid you are facing two bugs!

Please subscribe to both Phabricator tasks to be notified when they are fixed.

Thanks!

Even with ip source ‘192.168.10.0/24’, it doesn’t match. For ethernet and PPPoE. Is this a bug here too?

As far as I know it should work, but we would need more information. Please send the config and a diagram (or explanation of your setup) and explain what the problem is now.

This is the schema of my DHCP WAN and Router

Untitled Document1240×636 29.5 KB

This is my config

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name LAN_IN default-action 'accept'
set firewall name LAN_IN rule 10 action 'drop'
set firewall name LAN_IN rule 10 destination address '192.168.0.0/16'
set firewall name LAN_IN rule 10 source address '192.168.0.0/16'
set firewall name WAN_IN default-action 'drop'
set firewall name WAN_IN rule 10 action 'accept'
set firewall name WAN_IN rule 10 state established 'enable'
set firewall name WAN_IN rule 10 state related 'enable'
set firewall name WAN_LOCAL default-action 'drop'
set firewall name WAN_LOCAL rule 10 action 'accept'
set firewall name WAN_LOCAL rule 10 state established 'enable'
set firewall name WAN_LOCAL rule 10 state related 'enable'
set firewall name WAN_LOCAL rule 20 action 'accept'
set firewall name WAN_LOCAL rule 20 icmp type-name 'echo-request'
set firewall name WAN_LOCAL rule 20 protocol 'icmp'
set firewall name WAN_LOCAL rule 20 state new 'enable'
set firewall name WAN_LOCAL rule 30 action 'drop'
set firewall name WAN_LOCAL rule 30 destination port '22'
set firewall name WAN_LOCAL rule 30 protocol 'tcp'
set firewall name WAN_LOCAL rule 30 recent count '4'
set firewall name WAN_LOCAL rule 30 recent time '60'
set firewall name WAN_LOCAL rule 30 state new 'enable'
set firewall name WAN_LOCAL rule 31 action 'accept'
set firewall name WAN_LOCAL rule 31 destination port '22'
set firewall name WAN_LOCAL rule 31 protocol 'tcp'
set firewall name WAN_LOCAL rule 31 state new 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 firewall in name 'WAN_IN'
set interfaces ethernet eth0 firewall local name 'WAN_LOCAL'
set interfaces ethernet eth0 hw-id '00:a0:c9:69:80:7b'
set interfaces ethernet eth0 traffic-policy out 'UPLOAD'
set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 firewall in name 'LAN_IN'
set interfaces ethernet eth1 hw-id '00:a0:c9:69:80:7c'
set interfaces ethernet eth2 hw-id '00:a0:c9:69:80:7d'
set interfaces ethernet eth3 hw-id '00:a0:c9:69:80:7e'
set interfaces loopback lo
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address 'masquerade'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server '1.1.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 start '192.168.1.10'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 stop '192.168.1.254'
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$9RjedjecvB9$GhTyfAOg2RRc77gPFa64SOZqE714md1cXh3L9w6HIiVagqjuNIBLobDW/pQJmNlwj6OzA4Ul/ZpqvLzoV.O.l/'
set system login user vyos authentication plaintext-password ''
set system name-server '1.1.1.1'
set system name-server '8.8.8.8'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'America/Montreal'
set traffic-policy shaper UPLOAD bandwidth '10mbit'
set traffic-policy shaper UPLOAD class 10 bandwidth '5mbit'
set traffic-policy shaper UPLOAD class 10 ceiling '5mbit'
set traffic-policy shaper UPLOAD class 10 match LAN ip source address '192.168.1.0/24'
set traffic-policy shaper UPLOAD default bandwidth '1kbit'
set traffic-policy shaper UPLOAD default ceiling '100%'

This is my speedtest from the PC 192.168.1.5

2020-10-02 11_51_29-Speedtest by Ookla - The Global Broadband Speed Test748×135 12.4 KB

With ip source, no shaping is done…

Weird!

Can you please modify class 10 ceiling value and do the test again?

I would like to know if it is somehow inaccurately working.

I changed the ceiling value for ‘6mbit’

set traffic-policy shaper UPLOAD class 10 ceiling '6mbit'

Still no shaping…

2020-10-05 07_53_14-Speedtest by Ookla - The Global Broadband Speed Test750×128 12.6 KB

Is there any chance you can try any of the following tests? (Or even better if you can try both)

• Test it without NAT.
• Keep your NAT but test it with real traffic. I mean upload a real file, and check the speed without using any speed-test tool that creates artificial traffic.

I’m not sure, I wonder if that speed-test tool, when used with NAT could create some problem, like leaky NAT.

How can I disable nat? Because if I remove the masquerade on the WAN, I will not have access to internet.

I tried to set static route to route traffic from LAN to WAN but it didn’t work

On the first option I mean either testing it from private address to private address, or from public address to public address.

You can also go for the second option.

With option two, nothing is shaped. Upload speed to mega.nz is the same as the speedtest shown me.

Nothing is shape when upload from private address to private address because traffic shaping is applied on the WAN port not the LAN port.

I did a tcpdump and look packets with WireShark.

Addresses on eth0 is not 192.168.1.5 but the WAN IP. How traffic shaping translate this? Is this the job of the NAT?

Is it possible that the traffic shaping is done before NAT and the source/destination address is the WAN instead of the LAN client IP? It could explain why it doesn’t match class.

EDIT:

I confirm that traffic shaper is done before NAT and that’s why class are not matched. If I use WAN IP as ip source

image733×34 2.4 KB

The shaper is matching the class. I don’t know if it’s normal that shaper is done before translating address?